It's very important. Application of defined controls for PII, P-I-I remember, Personally Identifiable Information. The service provider must make any constraints arising from specific arrangements of the cloud service operation clear. In other words, part of the agreement to do business is, when the cloud service provider has a problem, it's going to impact my ability to interact, use and consume and provide my data, I'm supposed to be told about that. That's part of the agreements we have with the SLA. If you put a PLA in place, agreements around that as well. So there is an expectation of access, an expectation of service. And if the provider cannot meet that expectation, they are contractually bound and obligated to tell us. If they're going to do something that may negatively impact the protection of my data, this is important. So, recently, we've seen some sterling examples of exploits happening in the web and in the cloud, all sorts of things happening where data has been exposed. I saw an article recently about one of the big cable service providers in the US having their wireless service, their Wi-Fi service, for some reason, operating in a strange way or something wrong. We're not sure what was happening. We're still trying to figure it out. But basically, it was exposing customers' full PII information, the personal name, address, account number, phone number, all that stuff. When you would log on to the Wi-Fi to use it as a customer, it was exposing everything. It shouldn't have been doing that because now obviously people can see that. So this is an issue. It's a concern, and we have to have controls in place to stop that from happening. The Cloud Security Alliance Cloud Controls Matrix, what's known as the CCM, it's kind of interesting. CCM comes from the Cloud Security Alliance. The CSA is an industry focal group that is focused on cloud security.
They actually partner with (ISC)² to run the CCSP, the Certified Cloud Security Professional credential, another credential that you may be interested in and may be focused on if you're doing cloud-related stuff, but that's for another time of course. So, the CSA has this document called the Cloud Controls Matrix. I thought we would take a look at it together. It is a security controls framework that allows us to understand how to operate securely in the cloud. Let's take a look at what this looks like. It's actually pretty cool. So the Cloud Security Alliance can be found here, in this case, https://cloudsecurityalliance.org, all one word. You can go out and take a look for it on your own. When you go down towards the bottom of the page, you'll find a whole bunch of downloads. You'll find the Cloud Controls Matrix. CCM is there, whatever the current version is. You can click download on it. When you do, you will be able to see it. And so, what you will find is, you will download a zip file. That zip file will have two documents in it, a spreadsheet and a little PDF that tells you some information about it. Now, once you've done all that, what you then are able to do is open that spreadsheet if you'd like, and it looks like this. This is the actual CCM. And when you go in there and you take a look, you'll see that the CCM has several areas of information, maybe of importance to us, a control domain. So, what are the controls? The control cloud or the cloud control ID, whatever the unique identifier is. So, the first control in the application interface security, application security space is called AIS-01, the second one AIS-02, et cetera. We have an updated control specification, definition, some information. Then, it goes across and does a crosswalk, and this is the really cool part. Let's get ourselves zoomed in here just a little bit. And it does a crosswalk, as you can see, across architectural relevancy.
So what areas of the architecture does it work for us in? The compute, the storage, the app, the data. What cloud service delivery model applicability does it have? SaaS, PaaS, and IaaS. X indicates yes. So, X indicates select, meaning yes. It's good for all of these. We then have supplier relationships. See those right here. So we can see it's for the service provider. Maybe not, in this case, the consumer, but this one has both. We then have a crosswalk across all of the different solution frameworks that exist that offer controls and guidance in various areas across the world, all the relevant ones. There's about 20 of them in here that we can reference and see and can look at guidance from. And so, you can see, as we scroll through here, that we have AICPA, which is a financial services reporting solution. We have BITS. We have BSI from Germany. So, we have the German national guidance here from their information security group. Canada with PIPEDA, the CCM Version 1.X, older guidance COBIT Version 4.1 and Version 5, the newest version of COBIT from ISACA, the governance, risk and compliance framework. We have COPPA. We have the CSA enterprise architecture, formerly what's known as the TCI, the Trusted Cloud Initiative. We have ENISA, so the European guidance. We have 95/46, the European data protection and privacy directive. We have FedRAMP, the Federal Government, United States government security controls matrix for the cloud. We have FERPA, one of the things I mentioned for the federal education space in the US. We have GAAP, which is going to be generally accepted accounting principles to do accounting and making sure that we're doing this the right way from a financial services perspective. We have HIPAA/HITECH. We have ISO standards for the ISMS, the Information Security Management Service or system rather, that could be set up. So we have ISO guidance in here. We have ITAR for weapons of mass destruction and technology control for export. We have the Jericho Forum.
We have the Mexico federal law on protection of personal data held by private parties, NERC CIP for the utilities and power generation area. We have NIST guidance. We have all sorts of stuff. The New Zealand information security solution is here. We have PCI DSS as well, the latest version. All of that is here. You've got an incredible amount of information crosswalking here, telling you what the reference from CCM is in any one of these control frameworks. So, for instance, in PCI DSS Version 3, control elements 6 and 6.5 map to this exact control in CCM. That's what it's telling us. And this allows the security professional to be able to go in and to understand how to apply guidance from different vendors, different areas, different focal points, and bring it together to understand how to build a more secure system and provide more secure framework guidance and therefore, direction and ultimately, security as we use. This is an incredibly powerful tool. You should look at the CCM if you are not familiar with it. You should become familiar with it to understand what it represents and what it does. It will give you a lot of capabilities as a cloud-focused security professional to be able to interact and to be able to understand this information. It will be a good idea for you to become at least passingly familiar with the Cloud Security Alliance, just so you know what it is, what it represents. The fact that the CCM is a valuable reference tool is something you should certainly look at outside of the exam in the professional world that you engage and actually pursue your activities in. But remember, this is not a cloud security exam even though we're focusing on cloud security as one element of our discussion here overall. But remember, mile wide, inch deep. This is one area in a very, very large number of conversations we're having.
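As an added example that is not part of the lecture or of the CSA's own material, here is a small reader for a CCM-style crosswalk table: it parses the X applicability columns (architecture, delivery model, supplier relationship) and the framework crosswalk columns described above, then answers the two questions a practitioner actually asks of the matrix, namely which controls are in scope for my delivery model and role, and which CCM controls a given framework requirement (such as PCI DSS 6.5) maps back to. The CSV rows, the framework set and every mapping value are constructed for this example and are not the CSA's real data.

```python
"""Added example, not from the lecture or the CSA: a reader for a CCM-style
crosswalk table. Rows, frameworks and mapping values below are constructed."""
import csv
import io

# Constructed sample; "X" marks applicability exactly as in the CCM spreadsheet.
# Crosswalk cells hold one or more framework references separated by ';'.
SAMPLE_CCM_CSV = """\
Control ID,Domain,Compute,Storage,App,Data,SaaS,PaaS,IaaS,Provider,Consumer,PCI DSS v3,COBIT 5
AIS-01,Application & Interface Security,,,X,X,X,X,X,X,X,6; 6.5,APO09.03
AIS-02,Application & Interface Security,,,X,X,X,X,X,X,,6.5,
DCS-01,Datacenter Security,X,X,,,,,X,X,,9.1,DSS05.05
TVM-01,Threat and Vulnerability Management,X,,X,,X,X,X,X,X,6.2; 11.2,
"""

FLAGS = ["Compute", "Storage", "App", "Data", "SaaS", "PaaS", "IaaS", "Provider", "Consumer"]

def load_ccm(text):
    """Parse rows into dicts: X columns become a set of flags, crosswalk columns lists."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        row = {"id": rec["Control ID"], "domain": rec["Domain"], "flags": set(), "map": {}}
        for col, val in rec.items():
            val = (val or "").strip()
            if col in FLAGS:
                if val.upper() == "X":
                    row["flags"].add(col)
            elif col not in ("Control ID", "Domain") and val:
                row["map"][col] = [ref.strip() for ref in val.split(";")]
        rows.append(row)
    return rows

def in_scope(rows, model, role):
    """Controls marked X for a delivery model (SaaS/PaaS/IaaS) and a role (Provider/Consumer)."""
    return [r["id"] for r in rows if {model, role} <= r["flags"]]

def reverse_crosswalk(rows, framework, reference):
    """Which CCM controls cite a given framework requirement, e.g. PCI DSS v3 6.5?"""
    return sorted(r["id"] for r in rows if reference in r["map"].get(framework, []))

def forward_crosswalk(rows, control_id):
    """All framework references a single CCM control maps to."""
    return next(r["map"] for r in rows if r["id"] == control_id)

if __name__ == "__main__":
    ccm = load_ccm(SAMPLE_CCM_CSV)
    print(in_scope(ccm, "IaaS", "Consumer"))            # ['AIS-01', 'TVM-01']
    print(reverse_crosswalk(ccm, "PCI DSS v3", "6.5"))  # ['AIS-01', 'AIS-02']
    print(forward_crosswalk(ccm, "AIS-01"))
```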
I'll not get too crazy with something like the CCM or spend a lot of time on it for the exam, but I would certainly want to be passingly aware of it if I was you with regards to what it represents. That would be helpful of course. We want to think about that and be aware of that. The CCM security domains, I'm just going to quickly show you what they are even though we're not going to spend a lot of time on them. I showed you just one, the Application Interface Security area. There's a total of three slides here I have. Quickly, I'm going to put them up on the screen just to give you a sense of what the coverage in the CCM is, because I would have to scroll down an entire document that's several hundred cells long to give you everything. So I want to show you what they are. You quickly take a look at them as I put them up, and I'm talking to you. This is the second set right here. Things like Data Centre Security, Human Resources, Governance and Risk Management. I've got Mobile Security, Security Incident Management, E-Discovery. Got Threat and Vulnerability Management. Got all sorts of security domains in here. Lot of coverage, lot of information, lot of tools, lot of capabilities. These are all areas that ultimately we want to be responsible for and have time to understand how to interact with as a security professional. So, when you look at the CCM, you want to make sure you understand the scope of coverage here. It's incredibly broad. So, remember that. Remember that we can get a lot of guidance in these areas when you come up against an issue or a concern related to cloud computing.